There is net/sniffnet.
There is also security/suricata which you can run in just IDS mode to get all the info.
I started wiring a read-only GUI for that. Most of the message dispatching, processing etc. is in place. Pretty much only the GUI stuff is missing and I feel bored by doing GUI stuff so we probably won't see that one any time soon
thread 'main' panicked at 'Failed to initialize any backend! Wayland status: XdgRuntimeDirNotSet X11 status: XOpenDisplayFailed', /wrkdirs/usr/ports/net/sniffnet/work/sniffnet-1.2.1/cargo-crates/winit-0.27.5/src/platform_impl/linux/mod.rs:719:9
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
networkproguide.com
These things together sound a bit like a red flag to me. You're the admin of a firewall servicing 400 users while also having trouble installing & configuring a piece of software available via ports?
For simply collecting such flow data (at scale!) you might want to look at collecting netflow data from various points in your network (e.g. edge routers, gateways and switches) via net-mgmt/nfdump. There are some visualization tools like net-mgmt/nfsen or net-mgmt/flowviewer, but netflow data can also be fed (directly or pre-processed/filtered) to e.g. zabbix for moitoring & alerting.
, yes, I am reading about suricata , and trying to make it work,but is hard work..very hard